And do you think that the importance of these business skills is understood by most businesses, or is it still a fairly new way of thinking in the industry?  

I think this is emerging more and more, however it’s currently a ‘pre-trend,’ and I’m not sure a lot of businesses actually understand what they should be looking for in a CISO or the level that they should be hiring at. Many boards still think tech can solve all of their problems - that they can roll out shiny new toys and their security problems will be solved. One tip I can give to a business looking for a CISO or Head of Infosec, is that it is so important that they have the skills to be able to understand the business a whole and speak to business outcomes if they are ever going to be able to properly apply security solutions. There are also a variety of factors that should be considered when assessing the role, skills, background and budget and in fact whether to even hire directly or outsource.  

Through many conversations I’ve been having recently, I do think the industry is changing slowly, and the biggest shift that we need to make, in my opinion, for most large organisations, is to have reporting lines outside of IT, ideally directly into CFO or even COO. The security team should be working at board level to deal with cyber risk management as a strategic goal. This approach also removes conflicts of interest and ensures more effective oversight. Although this might not be the case for everyone!  

With your strong commercial background and experience in business management and consultancy, you will no doubt be a pro in managing senior stakeholder relationships. What advice would you have for CISOs who are trying to build up a good relationship with their board? Are there any top tips you could share for achieving buy in and effectively communicating your security vision with stakeholders?  

I think firstly we should acknowledge that it can be a real challenge to have a broad conversation about cyber security with the board. Everyone on the board has their own priorities and KPIs depending on their function - supply chain will have different targets to the CIO or the CMO. Everyone has very different goals and measures of success, and as a CISO you need to learn about, and understand, those differences. As we all know, people buy from people, so I take my previous experience as an account manager, and I apply it to my relationships with the board.  

My top tip for someone struggling to get their message across to the board is to organise a coffee with each individual stakeholder and understand what their world is like. Talk about what they do and how they do it, so you can build up a relationship and find out what makes them tick. Instead of talking about ransomware, ask them which suppliers they couldn’t do without for two weeks if faced with an incident, and their answers will give you your targets for third-party risk. When talking to the CFO, understand how you can help them to protect their bottom line.  

It again comes back to understanding business outcomes. How can you as a CISO help them to achieve their strategic goals, objectives, and ultimately, their bonuses? Once you have this insight you can go back to the board to discuss cyber security in a way that matters to each department, and in a targeted way to explain how cyber security will help them and the business overall.

How has 2022 been for you so far? Have there been any specific security challenges that you’ve been focused on?

In 2022 we’ve been coming to the end of a three-year security transformation strategy. Over the last three years we faced challenges, like all businesses during the Covid lockdown, but we were lucky that, due to how we operate, we were one of the few food delivery services able to stay open. We experienced an increase in costs, but also an increase in sales, and we also saw a rapid acceleration in innovation. Within security, we have therefore had to accelerate just as quickly to meet business needs, and we’re now looking at lots of exciting ways to better engage with our customers, as well as new routes to market.

We now all face both the energy and cost of living crisis, and business strategy has to adapt and pivot in response to economic conditions. An understanding of the business environment, and the unique challenges we face in 2022, is critical when it comes to managing risk. To be able to manage and deal with risk as a business we need to be able to focus and prioritise, to understand our exposure points and whether we need to address them.  

To do this we try to demonstrate an accelerated journey for our stakeholders– 1) here is your risk, 2) here are your options a, b, or c, 3) if you choose a, it will take you here, whereas b and c will take you here. This creates a process of business-driven prioritisation and helps the board to make decisions on how to mitigate risks. As a security team we can provide various solutions and options, but there should always be a business-based risk ownership model that results in business-based decisions.  

We'd love to hear more about the most effective strategies you've found to keep your security team agile, whilst still transforming organisational maturity and capabilities?  

Sure, so first I’ll explain how I definitely don’t approach security.  

Within the industry one of my biggest bug bears is vendor product marketing. Vendors are driving the market by encouraging security teams to buy more and more shiny tech, and promising ‘silver bullet’ purchases before even trying to understand business requirements. I really disagree with the compliance driven angle, where you aim to just tick a box without much (or often any) business context or understanding of the threats you face. This approach typically misses critical points, usually business context, alignment to threats and an appropriate view of your risk posture.

The result is that a lot of businesses build big programmes around security awareness and asset / vulnerability management for example without thinking about the threats they face and therefore the problems they are really trying to solve.

I always consider the cost of doing security compared to the Return on Investment and Value Realisation. Therefore, my approach to keeping my team agile and a programme that provides value to the business, is to keep a threat centric, risk-based approach to everything we do. Security controls need to provide both a reasonable baseline (think patching, MFA etc) but also intrinsically linked to both our important assets, and the adversaries that we face, giving us a unique risk profile. By rethinking the way we look at for example vulnerability management and awareness programmes, by becoming far more targeted on our approach, we can be focused on what really matters to the business, and in turn get much closer to answering the million dollar question  ‘how secure are we?’.  

Using a proactive approach of intelligence driven breach/attack simulation and control validation we are able to focus on the vulnerabilities that really matter to our business, helping reduce a typical vulnerability list of thousands down to a much more manageable and prioritised list, even just a handful. As an example, our VM tools might be telling us that a vulnerability is exploitable (or indeed being exploited) and we should fix it, but if the vulnerability is near the end of an otherwise robust Kill Chain of controls, or the actors exploiting it are only known to target say the Energy sector and you’re in retail, we don’t need to worry so much.

Thanks so much for sharing that Lee, and many of the vendor issues you’ve mentioned are very close to our heart and the approach we’re trying to change in the industry as well. Turning back now to your role, what do you enjoy most about the role of CISO?  

For me it has to be the variety of the role – you never know what is going to be happening each day and that’s exciting. In the role of a CISO, in one meeting we’re discussing the detail of DevSecOps code, and the next planning our security strategy, when we get interrupted and have to pivot into major incident mode. I think this is what keeps most security professionals interested – the variety day-to-day in what we could be dealing with and the opportunity to work with colleagues across the whole business.

And finally, is there a moment that you are most proud of in your career?  

My proudest moment was back when I worked at NCC Group. I led the team who built their original Managed Vulnerability Management Service, giving our customers a much more regular and consistent view of vulnerabilities and some expert resource on hand to guide and advise. On one particular occasion our team found something unusual in one of the scans, and when we investigated, we found that our customers’ entire customer base was accessible online due to a misconfigured FTP server. We obviously alerted our customer straight away, and they then called me to let me know that I had probably saved their job.

That call was a real highlight of my career, knowing that we averted a crisis before it happened, and that’s something that I still strive for today!

Thank you so much for your time today, Lee!

‍

Click here to read the other blogs in this series: 

• SI In Conversation with.. Howard Cribbs, CIO at SANS
• SI in Conversation with.. Rob Forster, Head of Cyber Security at Milk & More
• SI In Conversation with.. Matthew Bryant, CIO at 118 118 Money